Looking at recent breach data, it is amazing how long an organization can be compromised without noticing it.
A quick review of the Verizon Data Breach Report or Mandiant M Trends report shows an organization can be compromised for more than 14 months before it learns of a breach. One can only conclude that either enterprises lack the proper intrusion detection capabilities, or detection technologies and processes are failing.
We as a society have to accept that compromises are going to happen; it is not a sign of weakness, merely a reality given the nature of today's advanced attacks. It is also clear that enterprises must do a better job with detection. Getting compromised for a few hours -- or even a few days -- is acceptable, but when a breach extends longer, especially more than 12 months, it is borderline negligence.
Rather than becoming frustrated, we have to ask the fundamental question, "Why?" Why are enterprises not detecting compromised systems? One reason is attackers increasingly rely on an obfuscation method using one of information security's best strategic defenses: cryptography.
Understanding encrypted command-and-control channels
People often say crypto stops an adversary from reading an organization's information; that is partially true. Crypto actually stops anyone from reading anyone's information, including stopping an organization from reading an adversary's information.
When a system becomes compromised, the adversary will set up an encrypted outbound, command-and-control (C2) channel, which bypasses almost all of an organization's network security defenses. The reason is simple: Most network security devices cannot read encrypted traffic natively, and therefore encrypted C2 traffic effectively enabled adversaries to go undetected on a network.
While outbound proxies initially were an effective way to decrypt and review encrypted C2 traffic, adversaries have figured out ways to work through this protection mechanism. Outbound network proxy servers are still recommended because they do effectively filter traffic and will stop some attacks. However, some organizations have too many egress points to effectively proxy all traffic, and it will not stop high-end adversaries who, with persistence, will find a way around the proxies. Therefore, another solution is needed; that solution is crypto-free zones.
Understanding crypto-free zones
Before introducing the concept of crypto-free zones, it is important to point out that: a) drastic times requires drastic measures; b) not all solutions work in all environments; c) solutions work when they are strategically deployed and aren't focused in on all segments; and d) try before you criticize.
The crypto-free zone system that I have successfully deployed with several clients involves making the last mile unencrypted communication. The idea is to create a heavily switched LAN that not only has cryptography detection, but also does not allow any encrypted communication. This has minimal to no impact on current network designs. Essentially, an organization needs only to deploy or utilize DLP or other similar technology that can detect and block encrypted communication.
After employing this concept, it is striking to watch what happens in terms of catching an adversary:
- Before the crypto-free zone: user receives an APT email, user opens attachment, system opens up an outbound encrypted C2 connection, bypasses all network security devices, and system is compromised for 14 months.
- After the crypto-free zone: user receives an APT email, user opens attachment, systems attempt to establish an outbound encrypted C2 connection, encrypted channel is detected and blocked, and system is now compromised for 14 seconds, not 14 months.
By creating this proxy-free zone, essentially we have taken the adversary's greatest strength (C2 encryption) and turned it into his biggest weakness. This change creates an environment that makes it easy to catch and control advanced attacks.
As stated in the warning, this technique does not work in all cases. For example, users by default should not be allowed to engage in personal Web surfing with personal identifiable information (PII), or transmit payment data because it would go unencrypted, but this could be fixed by giving users a separate computer that would be for personal use only. It is also important to note that crypto gateways, such as SSL, can be set up at the gateway to the network. Only the last mile (or local LAN) is unencrypted, but anything leaving the network can still be encrypted and protected.
Once again, I do not recommend deploying crypto-free zones across an entire organization, but rather suggest setting them up as opt-in programs. If a user shows that he or she cannot protect systems and data, and that they make bad judgments by clicking on attachments and getting infected, then policy should opt the user into the program and place him or her into a crypto-free zone. This has proven to be highly effective because people who have been compromised once by making a poor decision have a high likelihood of doing so again without special controls.
By thinking out of the box, creative solutions can be used to make it harder for the adversary and easier for enterprise defenders. Everyone often thinks of crypto as increasing security, but as discussed in this article, not using crypto can create an environment that actually increases security.
If you have an idea for a future article or are looking for a solution for a tricky information security problem, please contact Dr. Cole at firstname.lastname@example.org.
About the author:
Dr. Eric Cole is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder and an executive leader at Secure Anchor Consulting where he provides leading-edge cyber security consulting services, expert witness work, and leads research and development initiatives to advance state-of-the-art information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. He is actively involved with the SANS Technology Institute (STI) and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.
Learn about the pros and cons of SSL decryption for enterprise network monitoring.